Your SlideShare is downloading. ×
Workprogram - Microsoft Word 2000 version
Upcoming SlideShare
Loading in...5
×

Thanks for flagging this SlideShare!

Oops! An error has occurred.

×

Introducing the official SlideShare app

Stunning, full-screen experience for iPhone and Android

Text the download link to your phone

Standard text messaging rates apply

Workprogram - Microsoft Word 2000 version

350
views

Published on


0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
350
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
11
Comments
0
Likes
0
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
No notes for slide

Transcript

  • 1. Business Continuity Planning Booklet – December 2007 BUSINESS CONTINUITY PLANNING WORKPROGRAM EXAMINATION OBJECTIVE: Determine the quality and effectiveness of the organization’s business continuity planning process, and determine whether the continuity testing program is sufficient to demonstrate the financial institution’s ability to meet its continuity objectives. These procedures will disclose the adequacy of the planning and testing process for the organization to recover, resume, and maintain operations after disruptions, ranging from minor outages to full-scale disasters. This workprogram can be used to assess the adequacy of the business continuity planning process on an enterprise-wide basis or across a particular line of business. Depending on the examination objectives, a line of business can be selected to sample how the organization’s continuity planning or testing processes work on a micro level or for a particular business function or process. This workprogram is not intended to be an audit guide; however, it was developed to be comprehensive and assist examiners in determining the effectiveness of a financial institution’s business continuity planning and testing program. Examiners may choose to use only certain components of the workprogram based upon the size, complexity, and nature of the institution’s business. The objectives and procedures are divided into Tier I and Tier II:  Tier I assesses an institution’s process for identifying and managing risks;  Tier II provides additional verification where risk is evident. Tier I and Tier II objectives and procedures are intended to be a tool set examiners may use when selecting examination procedures for their particular examination. Examiners should use these procedures as necessary to support examination objectives. FFIEC IT Examination Handbook Page 1
  • 2. Business Continuity Planning Booklet – December 2007 Tier I Objectives and Procedures Work Paper Reference Comment Objective 1: Determine examination scope and objectives for reviewing the business continuity planning program 1. Review examination documents and financial institution reports for out- standing issues or problems. Consid- er the following: ▪ Pre-examination planning memos; ▪ Prior regulatory reports of examination; ▪ Prior examination workpapers; ▪ Internal and external audit reports, including SAS 70 reports; ▪ Business continuity test results; and ▪ The financial institution’s overall risk assessment and profile. 2. Review management’s response to audit recommendations noted since the last examination. Consider the following: ▪ Adequacy and timing of corrective action; ▪ Resolution of root causes rather than just specific audit deficiencies; ▪ Existence of any outstanding issues; and ▪ Monitoring systems used to track the implementation of FFIEC IT Examination Handbook Page 2
  • 3. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment recommendations on an on-going basis. 3. Interview management and review the business continuity request in- formation to identify: ▪ Any significant changes in management, business strategies or internal business processes that could affect the business recovery process; ▪ Any material changes in the audit program, scope, or schedule related to business continuity activities; ▪ IT environments and changes to configuration or components; ▪ Changes in key service providers (technology, communication, back- up/recovery, etc.) and software vendors; and ▪ Any other internal or external factors that could affect the business continuity process. 4. Determine management’s considera- tion of newly identified threats and vulnerabilities to the organization’s business continuity process. Con- sider the following: ▪ Technological and security vulnerabilities; ▪ Internally identified threats; and ▪ Externally identified threats (including security alerts, pandemic alerts, or FFIEC IT Examination Handbook Page 3
  • 4. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment emergency warnings published by information sharing organizations or local, state, and federal agencies). 5. Establish the scope of the examina- tion by focusing on those factors that present the greatest degree of risk to the institution or service provider. BOARD AND SENIOR MANAGEMENT OVERSIGHT Objective 2: Determine the quality of business continuity plan (BCP) oversight and support provided by the board and senior management. 1. Determine whether the board has established an on-going, process- oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitoring and testing. Overall, this planning process should encompass the organization’s business continuity strategy, which is the ability to recover, resume, and maintain all critical business functions. 2. Determine whether a senior manag- er or committee has been assigned responsibility to oversee the devel- opment, implementation, and main- tenance of the BCP and the testing program. 3. Determine whether the board and FFIEC IT Examination Handbook Page 4
  • 5. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment senior management has ensured that integral groups are involved in the business continuity process (e.g. business line management, risk management, IT, facilities manage- ment, and audit). 4. Determine whether the board and senior management have established an enterprise-wide BCP and testing program that addresses and validates the continuity of the institution’s mission critical operations. 5. Determine whether the board and senior management review and ap- prove the BIA, risk assessment, written BCP, testing program, and testing results at least annually and document these reviews in the board minutes. 6. Determine whether the board and senior management oversee the timely revision of the BCP and test- ing program based on problems not- ed during testing and changes in business operations. BUSINESS IMPACT ANALYSIS (BIA) AND RISK ASSESSMENT Objective 3: Determine if an adequate BIA and risk assessment have been completed. 1. Determine whether the a work flow analysis was performed to ensure that all departments and business processes, as well as their related in- terdependencies, were included in the BIA and risk assessment FFIEC IT Examination Handbook Page 5
  • 6. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment 2. Review the BIA and risk assessment to determine whether the prioritiza- tion of business functions is ade- quate. 3. Determine whether the BIA identi- fies maximum allowable downtime for critical business functions, ac- ceptable levels of data loss and backlogged transactions, recovery time objectives (RTOs), recovery point objectives (RPOs), recovery of the critical path (business processes or systems that should receive the highest priority), and the costs asso- ciated with downtime 4. Review the risk assessment and de- termine whether it includes the im- pact and probability of disruptions of information services, technology, personnel, facilities, and services provided by third-parties, including: ▪ Natural events such as fires, floods, severe weather, air contaminants, and hazardous spills; ▪ Technical events such as communication failure, power failure, equipment and software failure, transportation system disruptions, and water system disruptions; ▪ Malicious activity including fraud, theft or blackmail; sabotage; vandalism and looting; and terrorism; and FFIEC IT Examination Handbook Page 6
  • 7. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment ▪ Pandemics. 3. Verify that reputation, operational, compliance, and other risks, that are relevant to the institution are consid- ered in the BIA and risk assessment. RISK MANAGEMENT Objective 4: Determine whether appropriate risk management over the business continuity process is in place. 1. Determine whether adequate risk mitigation strategies have been con- sidered for: ▪ Alternate locations and capacity for: - Data centers and computer operations; - Back-room operations; - Work locations for business functions; and - Telecommunications and remote computing. ▪ Back-up of: - Data; - Operating systems; - Applications; - Utility programs; and - Telecommunications; ▪ Secure and up-to-date off- site storage of: - Back-up media; - Supplies; - BCP; and - System documentation (e.g. FFIEC IT Examination Handbook Page 7
  • 8. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment topologies; inventory listing; firewall, router, and network configurations; operating procedures). ▪ Alternate power supplies (e.g. Uninterruptible power source, back-up generators); ▪ Recovery of data (e.g. backlogged transactions, reconciliation procedures); and ▪ Preparation for return to normal operations once the permanent facilities are available. 2. Determine whether satisfactory con- sideration has been given to geo- graphic diversity for: ▪ Alternate facilities; ▪ Alternate processing locations; ▪ Alternate telecommunications; ▪ Alternate staff; and ▪ Off-site storage. 3. Verify that appropriate policies, standards, and processes address business continuity planning issues including: ▪ Security; ▪ Project management; ▪ Change control process; ▪ Data synchronization, back-up, and recovery; ▪ Crises management FFIEC IT Examination Handbook Page 8
  • 9. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment (responsibility for disaster declaration and dealing with outside parties); ▪ Incident response; ▪ Remote access; ▪ Employee training; ▪ Notification standards (employees, customers, regulators, vendors, service providers); ▪ Insurance; and ▪ Government and community coordination. 4. Determine whether personnel are regularly trained in their specific re- sponsibilities under the plan(s) and whether current emergency proce- dures are posted in prominent loca- tions throughout the facility. 5. Determine whether the continuity strategy addresses interdependent components, including: ▪ Utilities; ▪ Telecommunications; ▪ Third-party technology providers; ▪ Key suppliers/business partners; and ▪ Internal systems and business processes. 6. Determine whether there are ade- quate processes in place to ensure that a current BCP is maintained and disseminated appropriately. Consid- er the following: FFIEC IT Examination Handbook Page 9
  • 10. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment ▪ Designation of personnel who are responsible for maintaining changes in processes, personnel, and environment(s); and ▪ Timely distribution of revised plans to personnel. 7. Determine whether audit involve- ment in the business continuity pro- gram is effective, including: ▪ Audit coverage of the business continuity program; ▪ Assessment of business continuity preparedness during line(s) of business reviews; ▪ Audit participation in testing as an observer and as a reviewer of test plans and results; and ▪ Documentation of audit findings. BUSINESS CONTINUITY PLANNING (BCP) - GENERAL Objective 5: Determine the existence of an appropriate enterprise-wide BCP 1. Review and verify that the written BCP: ▪ Addresses the recovery of each business unit/department/function/a pplication: - According to its priority ranking in the risk assessment; FFIEC IT Examination Handbook Page 10
  • 11. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment - Considering interdependencies among systems; and - Considering long-term recovery arrangements. ▪ Addresses the recovery of vendors and outsourcing arrangements. ▪ Take(s) into account: - Personnel; - Communication with employees, emergency personnel, regulators, vendors/suppliers, customers, and the media; - Technology issues (hardware, software, network, data processing equipment, telecommunications, remote computing, vital records, electronic banking systems, telephone banking systems, utilities); - Vendor(s) ability to service contracted customer base in the event of a major disaster or regional event: - Facilities; - Liquidity; - Security; - Financial disbursement (purchase authorities and expense reimbursement for senior management during a disaster); and - Manual operating FFIEC IT Examination Handbook Page 11
  • 12. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment procedures. ▪ Include(s) emergency preparedness and crisis management plans that: - Include an accurate contact tree, as well as primary and emergency contact information, for communicating with employees, service providers, vendors, regulators, municipal authorities, and emergency response personnel; - Define responsibilities and decision-making authorities for designated teams and/or staff members; - Explain actions to be taken in specific emergencies; - Defines the conditions under which the back-up site would be used; - Include procedures for notifying the back-up site; - Identify a current inventory of items needed for off-site processing; - Designate a knowledgeable public relations spokesperson; and - Identify sources of needed office space and equipment and a list of key vendors (hardware/software/telecom munications, etc.). FFIEC IT Examination Handbook Page 12
  • 13. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment BCP - HARDWARE, BACK-UP AND RECOVERY ISSUES Objective 6: Determine whether the BCP includes appropriate hardware back-up and recovery 1. Determine whether there is a com- prehensive, written agreement or contract for alternative processing or facility recovery. 2. If the organization is relying on in- house systems at separate physical locations for recovery, verify that the equipment is capable of indepen- dently processing all critical appli- cations. 3. If the organization is relying on out- side facilities for recovery, deter- mine whether the recovery site: ▪ Has the ability to process the required volume; ▪ Provides sufficient processing time for the anticipated workload based on emergency priorities; and ▪ Is available for use until the institution achieves full recovery from the disaster and resumes activity at the institution’s own facilities. 4. Determine how the recovery facili- ty’s customers would be accommo- dated if simultaneous disaster condi- tions were to occur to several cus- tomers during the same period of time. 5. Determine whether the organization ensures that when any changes (e.g. hardware or software upgrades or FFIEC IT Examination Handbook Page 13
  • 14. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment modifications) in the production en- vironment occur that a process is in place to make or verify a similar change in each alternate recovery lo- cation 6. Determine whether the organization is kept informed of any changes at the recovery site that might require adjustments to the organization’s software or its recovery plan(s). BCP - SECURITY ISSUES Objective 7: Determine that the BCP includes appropriate security procedures. 1. Determine whether adequate physi- cal security and access controls exist over data back-ups and program li- braries throughout their life cycle, including when they are created, transmitted/delivered, stored, re- trieved, loaded, and destroyed. 2. Determine whether appropriate physical and logical access controls have been considered and planned for the inactive production system when processing is temporarily transferred to an alternate facility. 3. Determine whether the intrusion de- tection and incident response plan considers facility and systems changes that may exist when alter- nate facilities are used.x 4. Determine whether the methods by which personnel are granted tempo- FFIEC IT Examination Handbook Page 14
  • 15. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment rary access (physical and logical), during continuity planning imple- mentation periods, are reasonable. 5. Evaluate the extent to which back- up personnel have been reassigned different responsibilities and tasks when business continuity planning scenarios are in effect and if these changes require a revision to sys- tems, data, and facilities access. 6. Review the assignment of authenti- cation and authorization credentials to determine whether they are based upon primary job responsibilities and whether they also include busi- ness continuity planning responsibil- ities. BCP - PANDEMIC ISSUES Objective 8: Determine whether the BCP effectively addresses pandemic issues. 1. Determine whether the Board or a committee thereof and senior man- agement provide appropriate over- sight of the institution’s pandemic preparedness program. 2. Determine whether the BCP ad- dresses the assignment of responsi- bility for pandemic planning, preparing, testing, responding, and recovering. 3. Determine whether the BCP in- cludes the following elements, ap- propriately scaled for the size, activ- FFIEC IT Examination Handbook Page 15
  • 16. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment ities and complexities of the organi- zation: ▪ A preventive program to reduce the likelihood that an institution’s operations will be significantly affected by a pandemic event, including: monitoring of potential outbreaks, educating employees, communicating and coordinating with critical service providers and suppliers, and providing appropriate hygiene training and tools to employees. ▪ A documented strategy that provides for scaling the institution’s pandemic efforts so they are consistent with the effects of a particular stage of a pandemic outbreak, such as first cases of humans contracting the disease overseas, first cases within the United States, and first cases within the organization itself. ▪ A comprehensive framework of facilities, systems, or procedures that provide the organization the capability to continue its critical operations in the event that a large number of the institution’s staff are unavailable for prolonged FFIEC IT Examination Handbook Page 16
  • 17. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment periods. Such procedures could include social distancing to minimize staff contact, telecommuting, or conducting operations from alternative sites. ▪ A testing program to better ensure that the institution’s pandemic planning practices and capabilities are effective and will allow critical operations to continue. ▪ An oversight program to ensure ongoing reviews and updates to the pandemic plan, so that policies, standards, and procedures include up-to- date, relevant information provided by governmental sources or by the institution’s monitoring program. 4. Determine whether pandemic risks have been incorporated into the business impact analysis and whether continuity plans and strate- gies reflect the results of the analy- sis. 5. Determine whether the BCP ad- dresses management monitoring of alert systems that provide informa- tion regarding the threat and pro- gression of a pandemic. Further, de- termine if the plan provides for es- calating responses to the progress or FFIEC IT Examination Handbook Page 17
  • 18. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment particular stages of an outbreak. 6. Determine whether the BCP ad- dresses communication and coordi- nation with financial institution em- ployees and the following outside parties regarding pandemic issues: ▪ Critical service providers; ▪ Key financial correspondents; ▪ Customers; ▪ Media representatives; ▪ Local, state, and federal agencies; and ▪ Regulators. 7. Determine whether the BCP incor- porates management’s analysis of the impact on operations if essential functions or services provided by outside parties are disrupted during a pandemic. 8. Determine whether the BCP in- cludes continuity plans and other mitigating controls (e.g. social dis- tancing, teleworking, functional cross-training, and conducting oper- ations from alternative sites) to sus- tain critical internal and outsourced operations in the event large num- bers of staff are unavailable for long periods. 9. Determine whether the BCP ad- dresses modifications to normal compensation and absenteeism po- lices to be enacted during a pandem- ic. FFIEC IT Examination Handbook Page 18
  • 19. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment 10. Determine whether management has analyzed remote access require- ments, including the infrastructure capabilities and capacity that may be necessary during a pandemic. 11. Determine whether the BCP pro- vides for an appropriate testing pro- gram to ensure that continuity plans will be effective and allow the orga- nization to continue its critical oper- ations. Such a testing program may include: ▪ Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; ▪ Telecommuting to simulate and test remote access; ▪ Internal and external communications processes and links; ▪ Table top operations exercises; and ▪ Local, regional, or national testing/exercises. BCP - OUTSOURCED ACTIVITIES Objective 9: Determine whether the BCP addresses critical outsourced activities. 1. Determine whether the BCP ad- dresses communications and con- nectivity with technology service providers (TSPs) in the event of a FFIEC IT Examination Handbook Page 19
  • 20. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment disruption at the institution. 2. Determine whether the BCP ad- dresses communications and con- nectivity with TSPs in the event of a disruption at any of the service provider’s facilities. 3. Determine whether there are docu- mented procedures in place for ac- cessing, downloading, and upload- ing information with TSPs, corre- spondents, affiliates and other ser- vice providers, from primary and re- covery locations, in the event of a disruption. 4. Determine whether the institution has a copy of the TSPs’ BCP and in- corporates it, as appropriate, into its plans. 5. Determine whether management has received and reviewed testing re- sults of their TSPs. 6. When testing with the critical ser- vice providers, determine whether management considered testing: ▪ From the institution’s primary location to the TSPs’ alternative location; ▪ From the institution’s alternative location to the TSPs’ primary location; and ▪ From the institution’s alternative location to the TSPs’ alternative location. FFIEC IT Examination Handbook Page 20
  • 21. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment 7. Determine whether institution man- agement has assessed the adequacy of the TSPs’ business continuity program through their vendor man- agement program (e.g. contract re- quirements, SAS 70 reviews). RISK MONITORING AND TESTING Objective 10: Determine whether the BCP testing program is sufficient to demonstrate the fi- nancial institution’s ability to meet its continuity objectives. TESTING POLICY 1. Determine whether the institution has a business continuity testing pol- icy that sets testing expectations for the enterprise-wide continuity func- tions, business lines, support func- tions, and crisis management. 2. Determine whether the testing poli- cy identifies key roles and responsi- bilities of the participants in the test- ing program. 3. Determine whether the testing poli- cy establishes a testing cycle with increasing levels of test scope and complexity. TESTING STRATEGY 1. Determine whether the institution has a business continuity testing strategy that includes documented test plans and related testing scenar- ios, testing methods, and testing schedules and also addresses expec- FFIEC IT Examination Handbook Page 21
  • 22. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment tations for mission critical business lines and support functions, includ- ing: ▪ The scope and level of detail of the testing program; ▪ The involvement of staff, technology, and facilities; ▪ Expectations for testing internal and external interdependencies; and ▪ An evaluation of the reasonableness of assumptions used in developing the testing strategy. 2. Determine whether the testing strat- egy articulates management’s as- sumptions and whether the assump- tions (e.g. available resources and services, length of disruption, test- ing methods, capacity and scalabili- ty issues, and data integrity) appear reasonable based on a cost/benefit analysis and recovery and resump- tion objectives. 3. Determine whether the testing strat- egy addresses the need for enter- prise-wide testing and testing with significant third-parties. 4. Determine whether the testing strat- egy includes guidelines for the fre- quency of testing that are consistent with the criticality of business func- tions, RTOs, RPOs, and recovery of the critical path, as defined in the FFIEC IT Examination Handbook Page 22
  • 23. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment BIA and risk assessment, corporate policy, and regulatory guidelines. 5. Determine whether the testing strat- egy addresses the documentation re- quirements for all facets of the con- tinuity testing program, including test scenarios, plans, scripts, results, and reporting. 6. Determine whether the testing strat- egy includes testing the effective- ness of an institution’s crisis man- agement process for responding to emergencies, including: ▪ Roles and responsibilities of crisis management group members; ▪ Risk assumptions; ▪ Crisis management decision process; ▪ Coordination with business lines, IT, internal audit, and facilities management; ▪ Communication with internal and external parties through the use of diverse methods and devices (e.g., calling trees, toll-free telephone numbers, instant messaging, websites); and ▪ Notification procedures to follow for internal and external contacts. 7. Determine whether the testing strat- egy addresses physical and logical FFIEC IT Examination Handbook Page 23
  • 24. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment security considerations for the facili- ty, vital records and data, telecom- munications, and personnel. EXECUTION, EVALUATION, AND RE-TESTING 1. Determine whether the institution has coordinated the execution of its testing program to fully exercise its business continuity planning pro- cess, and whether the test results demonstrate the readiness of em- ployees to achieve the institution’s recovery and resumption objectives (e.g. sustainability of operations and staffing levels, full production re- covery, achievement of operational priorities, timely recovery of data). 2. Determine whether test results are analyzed and compared against stat- ed objectives; test issues are as- signed ownership; a mechanism is developed to prioritize test issues; test problems are tracked until reso- lution; and recommendations for fu- ture tests are documented. 3. Determine whether the test process- es and results have been subject to independent observation and assess- ment by a qualified third party (e.g., internal or external auditor). 4. Determine whether an appropriate level of re-testing is conducted in a timely fashion to address test prob- lems or failures. FFIEC IT Examination Handbook Page 24
  • 25. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment TESTING EXPECTATIONS FOR CORE FIRMS AND SIGNIFICANT FIRMS Note: The following testing expectations only apply to core and significant firms as defined by interagency guidelines. 1 Core firms are defined as organizations that perform core clearing and settlement activities in criti- cal financial markets. Significant firms are defined as organizations that process a significant share of transactions in critical financial markets. For core and significant firms: 1. Determine whether core and signifi- cant firms have established a testing program that addresses their critical market activities and assesses the progress and status of the implemen- tation of the testing program to ad- dress BCP guidelines and applicable industry standards. 2. Determine the extent to which core and significant firms have demon- strated through testing or routine use that they have the ability to recover and, if relevant, resume operations within the specified time frames ad- dressed in the BCP guidelines and applicable industry standards. 3. Determine whether core and signifi- cant firm’s strategies and plans ad- dress wide-scale disruption scenar- ios for critical clearance and settle- ment activities in support of critical financial markets. Determine whether test plans demonstrate their ability to recover and resume opera- tions, based on guidelines defined by the BCP and applicable industry standards, from geographically dis- persed data centers and operations 1 Refer to the “Interagency Paper on Sound Practices to Strengthen the Resilience of the U.S. Financial System” issued by the Board of Governors of the Federal Reserve System, the Office of the Comptroller of the Currency, and the Securities and Exchange Commission. FFIEC IT Examination Handbook Page 25
  • 26. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment facilities. 4. Determine that back-up sites are able to support typical payment and settlement volumes for an extended period. 5. Determine that back-up sites are ful- ly independent of the critical infras- tructure components that support the primary sites. 6. Determine that the test assumptions are appropriate for core and signifi- cant firms and consider: ▪ Trained employees are located at the back-up site at the time of disruption; ▪ Back-up site employees are independent of the staff located at the primary site, at the time of disruption; and ▪ Back-up site employees are able to recover clearing and settlement of open transactions within the timeframes addressed in the BCP and applicable industry guidance. 7. Determine that the test assumptions are appropriate for core and signifi- cant firms and consider: ▪ Primary data centers and operations facilities that are completely inoperable without notice; ▪ Staff members at primary sites, who are located at both data centers and operations facilities, are FFIEC IT Examination Handbook Page 26
  • 27. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment unavailable for an extended period; ▪ Other organizations in the immediate area that are also affected; ▪ Infrastructure (power, telecommunications, transportation) that is disrupted; ▪ Whether data recovery or reconstruction necessary to restart payment and settlement functions can be completed within the timeframes defined by the BCP and applicable industry standards; and ▪ Whether continuity arrangements continue to operate until all pending transactions are closed. For core firms: 8. Determine whether the core firm’s testing strategy includes plans to test the ability of significant firms, which clear or settle transactions, to recover critical clearing and settle- ment activities from geographically dispersed back-up sites within a rea- sonable time frame. For significant firms: 9. Determine whether the significant firm has an external testing strategy that addresses key interdependen- cies, such as testing with third-party market providers and key customers. 10. Determine whether the significant firm’s external testing strategy in- cludes testing from the significant FFIEC IT Examination Handbook Page 27
  • 28. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment firm’s back-up sites to the core firms’ back-up sites. 11. Determine whether the significant firm meets the testing requirements of applicable core firms. 12. Determine whether the significant firm participates in “street” or mar- ket-wide tests sponsored by core firms, markets, or trade associations that tests the connectivity from alter- nate sites and includes transaction, settlement, and payment processes, to the extent practical. CONCLUSIONS 1. From the procedures performed: ▪ Determine the need to proceed to Tier II objectives and procedures for additional validation to support conclusions related to any of the Tier I objectives and procedures. ▪ Document conclusions related to the quality and effectiveness of the business continuity process. ▪ Determine and document to what extent, if any, you may rely upon the procedures performed by the internal and external auditors in determining the scope of the business continuity procedures. ▪ Document conclusions regarding the testing program and whether it is FFIEC IT Examination Handbook Page 28
  • 29. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment appropriate for the size, complexity, and risk profile of the institution. ▪ Document whether the institution has demonstrated, through an effective testing program, that it can meet its testing objectives, including those defined by management, the FFIEC, and applicable regulatory authorities. 2. Review your preliminary conclu- sions with the examiner-in-charge (EIC) regarding: ▪ Violations of law, rulings, regulations; ▪ Significant issues warranting inclusion as matters requiring board attention or recommendations in the report of examination; and ▪ The potential impact of your conclusions on composite and component ratings. 3. Discuss your findings with manage- ment and obtain proposed corrective action and deadlines for remedying significant deficiencies. 4. Document your conclusions in a memo to the EIC that provides re- port ready comments for all relevant sections of the report of examina- tion. 5. Organize and document your work papers to ensure clear support for FFIEC IT Examination Handbook Page 29
  • 30. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment significant findings and conclusions. Examiner Date Reviewer’s Initials FFIEC IT Examination Handbook Page 30
  • 31. Business Continuity Planning Booklet – December 2007 Tier I Objectives and Procedures Tier II objectives and examination procedures may be used to provide additional verification of the effectiveness of business continuity planning or identify potential root causes for weaknesses in the business continuity program. These procedures may be used in their entirety or selectively, depending on the scope of the examination and the need for additional verification. Examiners should coordinate this coverage with other examiners to avoid duplication of effort while reviewing various issues found in other work programs. The procedures provided in this section should not be construed as requirements for control implementation. The selection of controls and control implementation should be guided by the risk profile of the institution. Therefore, the controls necessary for any single institution or any given area may differ from those noted in the following procedures. Work Paper Reference Comment TESTING STRATEGY EVENT SCENARIOS Objective 1: Determine whether the testing strategy addresses various event scenarios, includ- ing potential issues encountered during a wide-scale disruption. 1. Determine whether the strategy ad- dresses staffing considerations, in- cluding: ▪ The ability to perform transaction processing and settlement; ▪ The ability to communicate with key internal and external stakeholders; ▪ The ability to reconcile transaction data; ▪ The accessibility, rotation, and cross training of staff necessary to support critical business operations; ▪ The ability to relocate or FFIEC IT Examination Handbook Page 31
  • 32. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment engage staff from alternate sites; ▪ Staff and management succession plans; ▪ Staff access to key documentation (plans, procedures, and forms); and ▪ The ability to handle increased workloads supporting critical operations for extended periods. 2. Determine whether the strategy ad- dresses technology considerations, including: ▪ Testing the data, systems, applications, and telecommunications links necessary for supporting critical financial markets; ▪ Testing critical applications, recovery of data, failover of the network, and resilience of telecommunications links; ▪ Incorporating the results of telecommunications diversity assessments and confirming telecommunications circuit diversity; ▪ Testing disruption events affecting connectivity, capacity, and integrity of data transmission; and ▪ Testing recovery of data lost when switching to out- of-region, asynchronous back-up facilities. FFIEC IT Examination Handbook Page 32
  • 33. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment 3. Determine whether the business line testing strategy addresses the facili- ties supporting the critical business functions and technology infrastruc- ture, including: ▪ Environmental controls – the adequacy of back-up power generators; heating, ventilation, and air conditioning (HVAC) systems; mechanical systems; and electrical systems; ▪ Workspace recovery – the adequacy of floor space, desk top computers, network connectivity, e- mail access, and telephone service; and ▪ Physical security facilities – the adequacy of physical perimeter security, physical access controls, protection services, and video monitoring. TEST PLANNING SCENARIOS - TEST CONTENT Objective 2: Determine if test plans adequately complement testing strategies. 1. Determine whether the test scenarios include a variety of threats and event types, a range of scenarios that reflect the full scope of the institution’s testing strategy, an increase in the complexity and scope of the tests, and tests of wide-scale disruptions over time. FFIEC IT Examination Handbook Page 33
  • 34. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment 2. Determine whether the scenarios in- clude detailed steps that demonstrate the viability of continuity plans, in- cluding: ▪ Deviation from established test scripts to include unplanned events, such as the loss of key individuals or services; and ▪ Tests of the ability to support peak transaction volumes from back-up facilities for extended periods. 3. Determine that test scenarios reflect key interdependencies. Consider the following: ▪ Whether plans include clients and counterparties that pose significant risks to the institution, and periodic connectivity tests are performed from their primary and contingency sites to the institution's primary and contingency sites; ▪ Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and ▪ Whether plans include testing or modeling of back-up telecommunications facilities and devices to ensure availability to key internal and external parties. FFIEC IT Examination Handbook Page 34
  • 35. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment PLANS: HOW THE INSTITUTION CONDUCTS TESTING #. Determine that the test plans and test scripts are documented and clearly reflect the testing strategy, that they encompass all critical busi- ness and supporting systems, and that they provide test participants with the information necessary to conduct tests of the institution’s continuity plans, including: ▪ Participants’ roles and responsibilities, defined decision makers, and rotation of test participants; ▪ Assigned command center and assembly locations; ▪ Test event dates and time stamps; ▪ Test scope and objectives, including RTOs, RPOs, recovery of the critical path, duration of tests, and extent of testing (e.g. connectivity, interoperability, transaction, capacity); ▪ Sequential, step-by-step procedures for staff and external parties, including instructions regarding transaction data and references to manual work-around processes, as needed; ▪ Detailed information regarding the critical platforms, applications and business processes to be recovered; ▪ Detailed schedules to FFIEC IT Examination Handbook Page 35
  • 36. Business Continuity Planning Booklet – December 2007 Work Paper Reference Comment complete each test; and ▪ A summary of test results (e.g. based on goals and objectives, successes and failures, and deviations from test plans or test scripts) using quantifiable measurement criteria. Examiner Date Reviewer’s Initials FFIEC IT Examination Handbook Page 36